CreateTelegramClawAgent

v1.0.0

Create a new Telegram agent in OpenClaw with proper configuration. Use when user wants to create a new Telegram bot agent, including setting up agent workspa...

by Woo, Hedy @4t-shirt
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (create a Telegram agent) align with the instructions: collecting a token, generating agent configuration, creating workspace/agent directories, and updating openclaw.json. The requested actions are expected for this purpose and there are no unrelated credential or binary requests.
Instruction Scope
Instructions are narrowly scoped to agent setup (collect inputs, prepare JSON snippets, create directories, update openclaw.json, write AGENTS.md and SOUL.md). Two practical concerns: the skill assumes a macOS-style path (/Users/<user>/...) rather than using the actual HOME or platform-agnostic paths, and it will write the bot token into openclaw.json (plain-text secret storage) without describing protection, backups, validation, or atomic update. Also the SKILL.md contains a confusing line 'CRITICAL: DO NOT MODIFY openclaw.json DIRECTLY' alongside steps that update openclaw.json after confirmation — clarify whether the skill will or will not perform the modification itself.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or installed, which minimizes risk.
Credentials
No environment variables or external credentials are requested by the skill itself (the user supplies the Telegram token). Storing the provided bot token in openclaw.json is expected for this feature but is a sensitive operation; the skill does not mention securing the token, restricting file permissions, or backing up the config.
Persistence & Privilege
always is false and the skill is user-invocable only. The skill writes files only within the user's OpenClaw config/workspace paths (as described). It does not request system-wide privileges or modify other skills.
Assessment
This skill appears to do what it says, but review these items before using it:
- Confirm who you trust: the skill source is unknown, so ensure you trust the instructions before giving it a bot token.
- Backup openclaw.json first (make a copy) so you can restore if the file is corrupted.
- The SKILL.md uses a hard-coded /Users/<user>/... path; ensure it will write to the correct home directory on your OS (use $HOME or the platform-appropriate path), otherwise update the paths.
- The skill will write your Telegram bot token into openclaw.json in plain text. If you proceed, restrict file permissions (e.g., chmod 600) and consider whether your environment requires secret encryption.
- Ask the skill (or implement) to validate inputs and check for existing agent id/name collisions before modifying config.
- Clarify the apparent contradiction: it says 'DO NOT MODIFY openclaw.json DIRECTLY' but then lists steps to update openclaw.json — confirm whether the skill will make changes itself after explicit confirmation or only provide instructions for you to copy.
- Prefer atomic edits and a backup/verify step: write to a temp file and validate JSON before replacing the live openclaw.json.
- After applying changes, follow the recommended restart/test steps and verify the agent appears in OpenClaw and the bot token functions as expected.

If you want, provide the exact home path you use and any existing openclaw.json contents (or a copy) and I can point out exactly what lines would be added and produce a safe, validated patch you can apply manually.

Like a lobster shell, security has layers — review code before you run it.
